[SCM] kio packaging branch, master, updated. debian/5.28.0-1-14-g6a34213

Maximiliano Curia maxy at moszumanska.debian.org
Wed Apr 5 08:43:39 UTC 2017


Gitweb-URL: http://git.debian.org/?p=pkg-kde/frameworks/kio.git;a=commitdiff;h=30452c6

The following commit has been merged in the master branch:
commit 30452c66da0774c8cabba76e6e8fa377fe79ec56
Author: Maximiliano Curia <maxy at gnuservers.com.ar>
Date:   Tue Apr 4 17:40:04 2017 +0200

    Add new upstream patch for CVE-2017-6410: Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch
    
    Closes: 856889
    Thanks: Salvatore Bonaccorso for reporting
---
 ...Ls-before-passing-them-to-FindProxyForURL.patch | 39 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 40 insertions(+)

diff --git a/debian/patches/Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch b/debian/patches/Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch
new file mode 100644
index 0000000..01e7f62
--- /dev/null
+++ b/debian/patches/Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch
@@ -0,0 +1,39 @@
+From: Albert Astals Cid <aacid at kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg at safebreach.com
+CCMAIL: amit.klein at safebreach.com
+CCMAIL: itzik.kotler at safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index b009bc99..916f647a 100644
+--- a/src/kpac/script.cpp
++++ b/src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+         }
+     }
+ 
++    QUrl cleanUrl = url;
++    cleanUrl.setUserInfo(QString());
++    if (cleanUrl.scheme() == QLatin1String("https")) {
++        cleanUrl.setPath(QString());
++        cleanUrl.setQuery(QString());
++    }
++
+     QScriptValueList args;
+-    args << url.url();
+-    args << url.host();
++    args << cleanUrl.url();
++    args << cleanUrl.host();
+ 
+     QScriptValue result = func.call(QScriptValue(), args);
+     if (result.isError()) {
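Review bot: in the `https` branch, `cleanUrl` has its path and query cleared but keeps its fragment, so `cleanUrl.url()` can still hand a `#...` fragment to the PAC script even though the description says only host-level information should reach it; adding `cleanUrl.setFragment(QString());` beside the `setQuery` call, or deriving the value with `url.adjusted(QUrl::RemoveUserInfo | QUrl::RemovePath | QUrl::RemoveQuery | QUrl::RemoveFragment)`, closes that gap in one place. A short comment explaining why only `https` URLs lose their path and query (the plaintext `http` case still passes the full URL, which the PAC script may legitimately need) would help the next person who touches `Script::evaluate`. The patch file header also carries no `Bug-Debian:` or CVE reference although the commit message ties it to CVE-2017-6410 and #856889; recording those DEP-3 fields in the patch keeps the provenance with the file when it is refreshed or forwarded.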
diff --git a/debian/patches/series b/debian/patches/series
index 6899040..fff9c36 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ Fix-another-clear-porting-bug-in-ForwardingSlaveBase.patch
 kssl-Ensure-user-certificate-directory-has-been-created-b.patch
 Fix-memleak-in-KDynamicJobTracker-KWidgetJobTracker-needs.patch
 Fix-parsing-of-directories-listing-on-a-specific-ftp-serv.patch
+Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch

-- 
kio packaging
